2018
Introduction to WebAssembly
I’ve started seeing WebAssemly (WASM) stuff popping up in a few places, most notably CloudFlare’s recent anti-container isolated v8 workload stuff and I wanted to understand it a little better. Essentially, WebAssembly is a way to compile stuff to a browser-native binary format .wasm, which you can then load with JavaScript and interact with. Since this is binary, I wanted to start with a C program. Since it’s C, to…
(Re)Evaluating Qubes OS as a pentesting platform
Laptop hardening is difficult at the best of times, and it’s made worse by the conflicting requirements we have for our workstations. With one laptop, we need to have work email and chat set up, we need to be able to spin up lab environments to test cool stuff we’re interested in, and we need to be able to run various tools on client engagements that may require us to…
Waiting for goDoH
“Exfiltration Over Alternate Protocol” techniques such as using the Domain Name System as a covert communication channel for data exfiltration is not a new concept. We’ve used the technique for many years at SensePost, including Haroon & Marco’s 2007 BH/DC talk on Squeeza. In the present age this is a well understood topic, at least amongst Infosec folks, with a large number of resources, available, online that aim to enlighten those…
Mallet in the Middle
I recently had an assessment reviewing a kiosk application. As I have been working on Mallet recently, this seemed like a perfect opportunity to put Mallet in between the kiosk and its upstream, and see how the kiosk worked. This is a practical walkthrough to help you replicate the setup for your own MitM needs. The initial state of the network The end result The hardware I used to achieve…
Linux Heap Exploitation Intro Series: Set you free() – part 2
Hello there! On this part we are focusing on abusing chunk creation and heap massaging in hope of overwriting the __malloc_hook weak pointer. Before getting into all the juicy stuff let’s remember some key things from last post. The value returned by png_get_uint_32 is of type unsigned integer For a 32 bit integer, the following happens: 0xffffffff + 1 = 0 fread will read values into the destination unless it can’t read from source…
Efficient HTTP Scripting in the Shell
Javier had a simple shell script he posted to our internal chat a few days ago. It’s goal was to pull all the IP ranges for a country in preparation for a footprint from https://ipinfo.io/ (Let’s use PL as an example). Given this involved pulling multiple webpages, I was interested to know what the most efficient approach to this in the shell would be. Truthfully, the actual problem, pulling data…
punching messages in the q
We’ve done several assessments of late where we needed to (ab)use MQ services. We’ve detailed our experiences and results below. Built a tool, punch-q, so you don’t have to go through the same, and included some info for blue teams, including an osquery extension. Depending on how old a version you are working with, or which document you read online, you might know IBM’s Message Queue solution as MQSeries, Webshere…
Mallet, a framework for creating proxies
Thanks to IoT and other developments, we’re having to review more and more non-HTTP protocols these days. While the hardware is interesting to look at, one can often find vulnerabilities at a network layer too. With many of the non-HTTP-only proxies having fallen out of maintenance or requiring a significant amount of custom code to be written for each unique protocol encountered, we decided to build a tool to make…
Decoding RF Protocols Within GRC
I’ve been fascinated by SDR and everything you can do with it for a long time, and from a pentesters perspective, I thought it would be awesome to be able to fuzz random devices. RF devices are everywhere, and people have used SDR to mess with lots of devices, such as portable traffic lights, weather stations, and older car key fobs. The thing is, getting started is much harder than…
A new look at null sessions and user enumeration
Hello, TLDR; I think I found three new ways to do user enumeration on Windows domain controllers, and I wrote some scripts for it. Over the years, I have often used the NULL session vulnerability to enumerate lists of users, groups, shares and other interesting information from remote Windows systems. For the uninitiated, Windows exposes several administrative and hidden shares via SMB by default. Some of these shares allow one…
Page 1 of 2
Next